Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Claude Code governance: are your LLM controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Claude Code sessions can become unmonitored pipelines between developers, proprietary code, and Anthropic’s API unless organisations add centralized LLM governance, according to Kong. That makes cost, auditability, data leakage, and shadow AI the real programme risks, not the model itself.

NHIMG editorial — based on content published by Kong: Governing Claude Code: How To Secure Agent Harness Rollouts with Kong AI Gateway

By the numbers:

Questions worth separating out

Q: How should teams govern AI coding agents that can call external tools?

A: Treat the agent as a governed execution path, not a chat interface.

Q: Why do AI coding agents create more risk than standard developer assistants?

A: Because they can move from suggestion to action.

Q: What signals show that Claude Code or similar tools are operating outside governance boundaries?

A: Look for inconsistent model routing, missing prompt logs, unexplained token spend, tool access that differs by team, and sessions that bypass the central gateway.

Practitioner guidance

  • Route agentic coding traffic through a central AI gateway Require Claude Code sessions to traverse a policy enforcement point that handles authentication, logging, content filtering, and model routing before any request leaves the environment.
  • Separate developer identity from model authentication Do not let individual developers manage direct upstream credentials for model access.
  • Log prompts, responses, and tool calls as change evidence Capture request content, response metadata, model selection, and any tool invocation so compliance teams can reconstruct what the agent saw and did during a session.

What's in the full article

Kong's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step Claude Code routing configuration through Kong AI Gateway for CLI and IDE usage
  • Plugin-level setup for token quotas, prompt logging, and response metadata capture across sessions
  • Specific examples of content filtering and PII redaction rules applied before model submission
  • MCP governance patterns for controlling external tool access as agent scope expands

👉 Read Kong's analysis of governing Claude Code with an AI gateway →

Claude Code governance: are your LLM controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Claude Code governance is now an identity problem, not just a developer experience problem. Once a coding agent can read repositories, run commands, and call tools, the organisation is governing a non-human execution path that carries code, secrets, and business logic. That makes the control plane part of IAM, PAM, and data governance. The implication is that teams cannot keep treating agentic coding as a point solution sitting outside identity policy.

A few things that frame the scale:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: What should security teams do before expanding agentic coding to more developers?

A: Establish a common gateway, define what data the agent may send, decide which tools it may reach, and make audit logging mandatory from day one. If the programme cannot reconstruct a session and explain its access path, it is not ready for broad rollout.

👉 Read our full editorial: Claude Code governance needs an AI gateway control plane



   
ReplyQuote
Share: